Possible Sensitive Session Information Leak in Active Storage
Description
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage's proxy controllers send a Set-Cookie header carrying the user's session cookie when serving blobs, and they also set Cache-Control to public. Certain proxies may cache that Set-Cookie header together with the blob, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.
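To make the mechanism concrete, the following is an added example in plain Ruby; it is not Rails or Active Storage code, and the blob URL, cookie name and session values are constructed. It models a shared cache keyed on URL alone (the behaviour of the "certain proxies" the advisory refers to), a blob endpoint that either commits the session or skips it, and a header check for the unsafe combination of a public Cache-Control and a Set-Cookie.

```ruby
# Added example, not part of Rails: shows why a Set-Cookie on a
# Cache-Control: public response leaks one user's session cookie to the
# next user who requests the same URL through a shared cache.

# Returns true when the response headers have the combination the advisory
# describes: stored by a shared cache (public, not private/no-store) while
# also carrying a Set-Cookie. Header names are matched case-insensitively.
def cacheable_session_leak?(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  cache_control = h.fetch('cache-control', '').downcase
  return false if cache_control.include?('private') || cache_control.include?('no-store')
  cache_control.include?('public') && h.key?('set-cookie')
end

# Minimal model of the blob proxy endpoint. With skip_session: false the
# session middleware commits the session and appends Set-Cookie (the
# vulnerable behaviour); with skip_session: true no cookie is written, which
# is the effect of request.session_options[:skip] = true in the fix.
def serve_blob(session_id:, skip_session: false)
  headers = {
    'Cache-Control' => 'public, max-age=3155695200', # constructed value
    'Content-Type'  => 'image/png'
  }
  headers['Set-Cookie'] = "_app_session=#{session_id}; path=/; HttpOnly" unless skip_session
  [200, headers, 'PNGDATA'] # body is a constructed placeholder
end

# A shared cache that stores any 200 response whose Cache-Control says
# "public", keyed only on the URL (no Vary: Cookie), and replays it as-is,
# Set-Cookie included, to every later requester of that URL.
class SharedCache
  def initialize
    @store = {}
  end

  def fetch(url)
    return @store[url] if @store.key?(url)
    response = yield
    status, headers, _body = response
    @store[url] = response if status == 200 && headers['Cache-Control'].to_s.include?('public')
    response
  end
end

# Sends two different users through the cache for the same blob URL and
# returns the Set-Cookie value the second user receives (nil if none).
def cookie_seen_by_second_user(skip_session:)
  cache = SharedCache.new
  url = '/rails/active_storage/blobs/proxy/CONSTRUCTED-KEY/avatar.png' # constructed path
  cache.fetch(url) { serve_blob(session_id: 'alice-secret', skip_session: skip_session) }
  _status, headers, _body =
    cache.fetch(url) { serve_blob(session_id: 'bob-secret', skip_session: skip_session) }
  headers['Set-Cookie']
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: second user gets #{cookie_seen_by_second_user(skip_session: false).inspect}"
  puts "fixed:      second user gets #{cookie_seen_by_second_user(skip_session: true).inspect}"
end
```

In the vulnerable path the second user is handed `alice-secret`, because the cache stored the first response verbatim; once the session is skipped there is no Set-Cookie to cache and the check returns nil. The `cacheable_session_leak?` predicate is the kind of assertion worth adding to a controller test or a response-header scan for any endpoint that uses long-lived public caching.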
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activestorage (RubyGems) | >= 5.2.0, < 6.1.7.7 | 6.1.7.7 |
| activestorage (RubyGems) | >= 7.0.0, < 7.0.8.1 | 7.0.8.1 |
Patches
Commit 723f54566023: Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers
4 files changed · +22 −0
activestorage/app/controllers/active_storage/blobs/proxy_controller.rb+1 −0 modified@@ -9,6 +9,7 @@ class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController include ActiveStorage::SetBlob include ActiveStorage::Streaming + include ActiveStorage::DisableSession def show if request.headers["Range"].present?
activestorage/app/controllers/active_storage/representations/proxy_controller.rb+1 −0 modified@@ -8,6 +8,7 @@ # {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers]. class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController include ActiveStorage::Streaming + include ActiveStorage::DisableSession def show http_cache_forever public: true do
activestorage/app/controllers/concerns/active_storage/disable_session.rb+12 −0 added@@ -0,0 +1,12 @@ +# frozen_string_literal: true + +# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare. +module ActiveStorage::DisableSession + extend ActiveSupport::Concern + + included do + before_action do + request.session_options[:skip] = true + end + end +end
activestorage/CHANGELOG.md+8 −0 modified@@ -1,3 +1,11 @@ +* Disables the session in `ActiveStorage::Blobs::ProxyController` + and `ActiveStorage::Representations::ProxyController` + in order to allow caching by default in some CDNs as CloudFlare + + Fixes #44136 + + *Bruno Prieto* + ## Rails 7.0.8 (September 09, 2023) ## * No changes.
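Review bot: the comment in disable_session.rb and the CHANGELOG entry both describe this as a change "to allow caching by default in some CDNs as CloudFlare", but the reason the change matters is security: both proxy controllers respond inside `http_cache_forever public: true`, so a Set-Cookie carrying the session on that publicly cacheable response can be stored by a shared cache and replayed to other users. The comment and the CHANGELOG line should state that rationale (and "as CloudFlare" should read "such as Cloudflare"). The four changed files are two controllers, the new concern and the CHANGELOG, with no test; a controller test asserting that a proxy response carries no `Set-Cookie` header would keep a later refactor of the callback chain from reintroducing the leak.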
Commit 78fe149509fa: Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers
4 files changed · +22 −0
activestorage/app/controllers/active_storage/blobs/proxy_controller.rb+1 −0 modified@@ -4,6 +4,7 @@ class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController include ActiveStorage::SetBlob include ActiveStorage::SetHeaders + include ActiveStorage::DisableSession def show http_cache_forever public: true do
activestorage/app/controllers/active_storage/representations/proxy_controller.rb+1 −0 modified@@ -3,6 +3,7 @@ # Proxy files through application. This avoids having a redirect and makes files easier to cache. class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController include ActiveStorage::SetHeaders + include ActiveStorage::DisableSession def show http_cache_forever public: true do
activestorage/app/controllers/concerns/active_storage/disable_session.rb+12 −0 added@@ -0,0 +1,12 @@ +# frozen_string_literal: true + +# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare. +module ActiveStorage::DisableSession + extend ActiveSupport::Concern + + included do + before_action do + request.session_options[:skip] = true + end + end +end
activestorage/CHANGELOG.md+8 −0 modified@@ -1,3 +1,11 @@ +* Disables the session in `ActiveStorage::Blobs::ProxyController` + and `ActiveStorage::Representations::ProxyController` + in order to allow caching by default in some CDNs as CloudFlare + + Fixes #44136 + + *Bruno Prieto* + ## Rails 6.1.7.6 (August 22, 2023) ## * No changes.
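Review bot: in disable_session.rb the `before_action` is an anonymous block inside `included do`; giving it a named method (for example `before_action :skip_session`) would let host applications that subclass these controllers use `skip_before_action` or inspect the callback, and would make the intent visible in a backtrace. The 6.1 backport mirrors the 7.0 change apart from the `ActiveStorage::SetHeaders` include in both proxy controllers, which does not affect the fix because `session_options[:skip]` is honoured when the session middleware decides whether to commit, not at callback time; still, as on the 7.0 branch, no test covers the absence of `Set-Cookie` on these responses, and one belongs alongside this backport.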
References
- github.com/advisories/GHSA-8h22-8cf7-hq6g (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-26144 (NVD)
- discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945 (Rails discussion forum announcement)
- github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433 (fix commit, 7.0 branch)
- github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3 (fix commit, 6.1 branch)
- github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g (Rails security advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml (ruby-advisory-db, actionpack)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml (ruby-advisory-db, activestorage)
- security.netapp.com/advisory/ntap-20240510-0013 (NetApp advisory)